SAE: Rename and move ECC/FFC functions to be next to each other
This makes it easier to see where there is separate implementation for ECC and FFC groups. Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
4ef34a9960
commit
3b0ffebcda
1 changed files with 168 additions and 184 deletions
352
src/common/sae.c
352
src/common/sae.c
|
|
@ -177,8 +177,8 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
|
|||
}
|
||||
|
||||
|
||||
static int sae_test_pwd_seed(struct sae_data *sae, const u8 *pwd_seed,
|
||||
struct crypto_ec_point *pwe)
|
||||
static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
|
||||
struct crypto_ec_point *pwe)
|
||||
{
|
||||
u8 pwd_value[SAE_MAX_ECC_PRIME_LEN], prime[SAE_MAX_ECC_PRIME_LEN];
|
||||
struct crypto_bignum *x;
|
||||
|
|
@ -221,135 +221,8 @@ static int sae_test_pwd_seed(struct sae_data *sae, const u8 *pwd_seed,
|
|||
}
|
||||
|
||||
|
||||
static int sae_derive_pwe(struct sae_data *sae, const u8 *addr1,
|
||||
const u8 *addr2, const u8 *password,
|
||||
size_t password_len)
|
||||
{
|
||||
u8 counter, k = 4;
|
||||
u8 addrs[2 * ETH_ALEN];
|
||||
const u8 *addr[2];
|
||||
size_t len[2];
|
||||
int found = 0;
|
||||
struct crypto_ec_point *pwe_tmp;
|
||||
|
||||
if (sae->pwe_ecc == NULL) {
|
||||
sae->pwe_ecc = crypto_ec_point_init(sae->ec);
|
||||
if (sae->pwe_ecc == NULL)
|
||||
return -1;
|
||||
}
|
||||
pwe_tmp = crypto_ec_point_init(sae->ec);
|
||||
if (pwe_tmp == NULL)
|
||||
return -1;
|
||||
|
||||
wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
|
||||
password, password_len);
|
||||
|
||||
/*
|
||||
* H(salt, ikm) = HMAC-SHA256(salt, ikm)
|
||||
* pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
|
||||
* password || counter)
|
||||
*/
|
||||
sae_pwd_seed_key(addr1, addr2, addrs);
|
||||
|
||||
addr[0] = password;
|
||||
len[0] = password_len;
|
||||
addr[1] = &counter;
|
||||
len[1] = sizeof(counter);
|
||||
|
||||
/*
|
||||
* Continue for at least k iterations to protect against side-channel
|
||||
* attacks that attempt to determine the number of iterations required
|
||||
* in the loop.
|
||||
*/
|
||||
for (counter = 1; counter < k || !found; counter++) {
|
||||
u8 pwd_seed[SHA256_MAC_LEN];
|
||||
int res;
|
||||
|
||||
if (counter > 200) {
|
||||
/* This should not happen in practice */
|
||||
wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
|
||||
break;
|
||||
}
|
||||
|
||||
wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
|
||||
if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
|
||||
pwd_seed) < 0)
|
||||
break;
|
||||
res = sae_test_pwd_seed(sae, pwd_seed,
|
||||
found ? pwe_tmp : sae->pwe_ecc);
|
||||
if (res < 0)
|
||||
break;
|
||||
if (res == 0)
|
||||
continue;
|
||||
if (found) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Ignore this PWE (one was "
|
||||
"already selected)");
|
||||
} else {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
|
||||
found = 1;
|
||||
}
|
||||
}
|
||||
|
||||
crypto_ec_point_deinit(pwe_tmp, 1);
|
||||
|
||||
return found ? 0 : -1;
|
||||
}
|
||||
|
||||
|
||||
static int sae_derive_commit(struct sae_data *sae)
|
||||
{
|
||||
struct crypto_bignum *mask;
|
||||
int ret = -1;
|
||||
|
||||
mask = sae_get_rand_and_mask(sae);
|
||||
if (mask == NULL) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* commit-scalar = (rand + mask) modulo r */
|
||||
if (!sae->own_commit_scalar) {
|
||||
sae->own_commit_scalar = crypto_bignum_init();
|
||||
if (!sae->own_commit_scalar)
|
||||
goto fail;
|
||||
}
|
||||
crypto_bignum_add(sae->sae_rand, mask, sae->own_commit_scalar);
|
||||
crypto_bignum_mod(sae->own_commit_scalar, sae->order,
|
||||
sae->own_commit_scalar);
|
||||
|
||||
/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
|
||||
if (!sae->own_commit_element_ecc) {
|
||||
sae->own_commit_element_ecc = crypto_ec_point_init(sae->ec);
|
||||
if (!sae->own_commit_element_ecc)
|
||||
goto fail;
|
||||
}
|
||||
if (crypto_ec_point_mul(sae->ec, sae->pwe_ecc, mask,
|
||||
sae->own_commit_element_ecc) < 0 ||
|
||||
crypto_ec_point_invert(sae->ec, sae->own_commit_element_ecc) < 0) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
fail:
|
||||
crypto_bignum_deinit(mask, 1);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
static int sae_prepare_commit_ec(const u8 *addr1, const u8 *addr2,
|
||||
const u8 *password, size_t password_len,
|
||||
struct sae_data *sae)
|
||||
{
|
||||
if (sae_derive_pwe(sae, addr1, addr2, password, password_len) < 0 ||
|
||||
sae_derive_commit(sae) < 0)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static int sae_test_pwd_seed_dh(struct sae_data *sae, const u8 *pwd_seed,
|
||||
struct crypto_bignum *pwe)
|
||||
static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
|
||||
struct crypto_bignum *pwe)
|
||||
{
|
||||
u8 pwd_value[SAE_MAX_PRIME_LEN], pwe_bin[SAE_MAX_PRIME_LEN];
|
||||
size_t bits = sae->prime_len * 8;
|
||||
|
|
@ -428,9 +301,84 @@ static int sae_test_pwd_seed_dh(struct sae_data *sae, const u8 *pwd_seed,
|
|||
}
|
||||
|
||||
|
||||
static int sae_derive_pwe_dh(struct sae_data *sae, const u8 *addr1,
|
||||
const u8 *addr2, const u8 *password,
|
||||
size_t password_len)
|
||||
static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
|
||||
const u8 *addr2, const u8 *password,
|
||||
size_t password_len)
|
||||
{
|
||||
u8 counter, k = 4;
|
||||
u8 addrs[2 * ETH_ALEN];
|
||||
const u8 *addr[2];
|
||||
size_t len[2];
|
||||
int found = 0;
|
||||
struct crypto_ec_point *pwe_tmp;
|
||||
|
||||
if (sae->pwe_ecc == NULL) {
|
||||
sae->pwe_ecc = crypto_ec_point_init(sae->ec);
|
||||
if (sae->pwe_ecc == NULL)
|
||||
return -1;
|
||||
}
|
||||
pwe_tmp = crypto_ec_point_init(sae->ec);
|
||||
if (pwe_tmp == NULL)
|
||||
return -1;
|
||||
|
||||
wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
|
||||
password, password_len);
|
||||
|
||||
/*
|
||||
* H(salt, ikm) = HMAC-SHA256(salt, ikm)
|
||||
* pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
|
||||
* password || counter)
|
||||
*/
|
||||
sae_pwd_seed_key(addr1, addr2, addrs);
|
||||
|
||||
addr[0] = password;
|
||||
len[0] = password_len;
|
||||
addr[1] = &counter;
|
||||
len[1] = sizeof(counter);
|
||||
|
||||
/*
|
||||
* Continue for at least k iterations to protect against side-channel
|
||||
* attacks that attempt to determine the number of iterations required
|
||||
* in the loop.
|
||||
*/
|
||||
for (counter = 1; counter < k || !found; counter++) {
|
||||
u8 pwd_seed[SHA256_MAC_LEN];
|
||||
int res;
|
||||
|
||||
if (counter > 200) {
|
||||
/* This should not happen in practice */
|
||||
wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
|
||||
break;
|
||||
}
|
||||
|
||||
wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
|
||||
if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
|
||||
pwd_seed) < 0)
|
||||
break;
|
||||
res = sae_test_pwd_seed_ecc(sae, pwd_seed,
|
||||
found ? pwe_tmp : sae->pwe_ecc);
|
||||
if (res < 0)
|
||||
break;
|
||||
if (res == 0)
|
||||
continue;
|
||||
if (found) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Ignore this PWE (one was "
|
||||
"already selected)");
|
||||
} else {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
|
||||
found = 1;
|
||||
}
|
||||
}
|
||||
|
||||
crypto_ec_point_deinit(pwe_tmp, 1);
|
||||
|
||||
return found ? 0 : -1;
|
||||
}
|
||||
|
||||
|
||||
static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
|
||||
const u8 *addr2, const u8 *password,
|
||||
size_t password_len)
|
||||
{
|
||||
u8 counter;
|
||||
u8 addrs[2 * ETH_ALEN];
|
||||
|
|
@ -473,7 +421,7 @@ static int sae_derive_pwe_dh(struct sae_data *sae, const u8 *addr1,
|
|||
if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
|
||||
pwd_seed) < 0)
|
||||
break;
|
||||
res = sae_test_pwd_seed_dh(sae, pwd_seed, sae->pwe_ffc);
|
||||
res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->pwe_ffc);
|
||||
if (res < 0)
|
||||
break;
|
||||
if (res > 0) {
|
||||
|
|
@ -486,7 +434,48 @@ static int sae_derive_pwe_dh(struct sae_data *sae, const u8 *addr1,
|
|||
}
|
||||
|
||||
|
||||
static int sae_derive_commit_dh(struct sae_data *sae)
|
||||
static int sae_derive_commit_ecc(struct sae_data *sae)
|
||||
{
|
||||
struct crypto_bignum *mask;
|
||||
int ret = -1;
|
||||
|
||||
mask = sae_get_rand_and_mask(sae);
|
||||
if (mask == NULL) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* commit-scalar = (rand + mask) modulo r */
|
||||
if (!sae->own_commit_scalar) {
|
||||
sae->own_commit_scalar = crypto_bignum_init();
|
||||
if (!sae->own_commit_scalar)
|
||||
goto fail;
|
||||
}
|
||||
crypto_bignum_add(sae->sae_rand, mask, sae->own_commit_scalar);
|
||||
crypto_bignum_mod(sae->own_commit_scalar, sae->order,
|
||||
sae->own_commit_scalar);
|
||||
|
||||
/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
|
||||
if (!sae->own_commit_element_ecc) {
|
||||
sae->own_commit_element_ecc = crypto_ec_point_init(sae->ec);
|
||||
if (!sae->own_commit_element_ecc)
|
||||
goto fail;
|
||||
}
|
||||
if (crypto_ec_point_mul(sae->ec, sae->pwe_ecc, mask,
|
||||
sae->own_commit_element_ecc) < 0 ||
|
||||
crypto_ec_point_invert(sae->ec, sae->own_commit_element_ecc) < 0) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
fail:
|
||||
crypto_bignum_deinit(mask, 1);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
static int sae_derive_commit_ffc(struct sae_data *sae)
|
||||
{
|
||||
struct crypto_bignum *mask;
|
||||
int ret = -1;
|
||||
|
|
@ -528,36 +517,31 @@ fail:
|
|||
}
|
||||
|
||||
|
||||
static int sae_prepare_commit_dh(const u8 *addr1, const u8 *addr2,
|
||||
const u8 *password, size_t password_len,
|
||||
struct sae_data *sae)
|
||||
{
|
||||
if (sae_derive_pwe_dh(sae, addr1, addr2, password, password_len) < 0 ||
|
||||
sae_derive_commit_dh(sae) < 0)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int sae_prepare_commit(const u8 *addr1, const u8 *addr2,
|
||||
const u8 *password, size_t password_len,
|
||||
struct sae_data *sae)
|
||||
{
|
||||
if (sae->ec) {
|
||||
return sae_prepare_commit_ec(addr1, addr2, password,
|
||||
password_len, sae);
|
||||
if (sae_derive_pwe_ecc(sae, addr1, addr2, password,
|
||||
password_len) < 0 ||
|
||||
sae_derive_commit_ecc(sae) < 0)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (sae->dh) {
|
||||
return sae_prepare_commit_dh(addr1, addr2, password,
|
||||
password_len, sae);
|
||||
if (sae_derive_pwe_ffc(sae, addr1, addr2, password,
|
||||
password_len) < 0 ||
|
||||
sae_derive_commit_ffc(sae) < 0)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
static int sae_derive_k_ec(struct sae_data *sae, u8 *k)
|
||||
static int sae_derive_k_ecc(struct sae_data *sae, u8 *k)
|
||||
{
|
||||
struct crypto_ec_point *K;
|
||||
int ret = -1;
|
||||
|
|
@ -599,7 +583,7 @@ fail:
|
|||
}
|
||||
|
||||
|
||||
static int sae_derive_k_dh(struct sae_data *sae, u8 *k)
|
||||
static int sae_derive_k_ffc(struct sae_data *sae, u8 *k)
|
||||
{
|
||||
struct crypto_bignum *K;
|
||||
int ret = -1;
|
||||
|
|
@ -638,8 +622,8 @@ fail:
|
|||
static int sae_derive_k(struct sae_data *sae, u8 *k)
|
||||
{
|
||||
if (sae->ec)
|
||||
return sae_derive_k_ec(sae, k);
|
||||
return sae_derive_k_dh(sae, k);
|
||||
return sae_derive_k_ecc(sae, k);
|
||||
return sae_derive_k_ffc(sae, k);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -826,35 +810,6 @@ static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos,
|
|||
}
|
||||
|
||||
|
||||
static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
|
||||
const u8 *end)
|
||||
{
|
||||
if (pos + sae->prime_len > end) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
|
||||
"commit-element");
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
}
|
||||
wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", pos, sae->prime_len);
|
||||
|
||||
if (val_zero_or_one(pos, sae->prime_len)) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
}
|
||||
|
||||
crypto_bignum_deinit(sae->peer_commit_element_ffc, 0);
|
||||
sae->peer_commit_element_ffc = crypto_bignum_init_set(pos,
|
||||
sae->prime_len);
|
||||
if (sae->peer_commit_element_ffc == NULL)
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
if (crypto_bignum_cmp(sae->peer_commit_element_ffc, sae->prime) >= 0) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
}
|
||||
|
||||
return WLAN_STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
|
||||
const u8 *end)
|
||||
{
|
||||
|
|
@ -893,6 +848,35 @@ static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
|
|||
}
|
||||
|
||||
|
||||
static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
|
||||
const u8 *end)
|
||||
{
|
||||
if (pos + sae->prime_len > end) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
|
||||
"commit-element");
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
}
|
||||
wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", pos, sae->prime_len);
|
||||
|
||||
if (val_zero_or_one(pos, sae->prime_len)) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
}
|
||||
|
||||
crypto_bignum_deinit(sae->peer_commit_element_ffc, 0);
|
||||
sae->peer_commit_element_ffc = crypto_bignum_init_set(pos,
|
||||
sae->prime_len);
|
||||
if (sae->peer_commit_element_ffc == NULL)
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
if (crypto_bignum_cmp(sae->peer_commit_element_ffc, sae->prime) >= 0) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
}
|
||||
|
||||
return WLAN_STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
static u16 sae_parse_commit_element(struct sae_data *sae, const u8 *pos,
|
||||
const u8 *end)
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in a new issue